From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Sun, 25 May 2025 16:08:05 -0700 Received: from mail-oa1-f59.google.com ([209.85.160.59]) by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1uJKRl-0005c8-1o for bitcoindev@gnusha.org; Sun, 25 May 2025 16:08:05 -0700 Received: by mail-oa1-f59.google.com with SMTP id 586e51a60fabf-2d4e42a2b2bsf1472752fac.0 for ; Sun, 25 May 2025 16:08:00 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1748214475; cv=pass; d=google.com; s=arc-20240605; b=UsrUGK2vGWMOJIJk6iBjULtrxzwLQVCNyGrGxXySzVJjVw4NY93z1QixhgOg6DN6Cl 7at7ZIEsW2ofk4BGvRiLbKwLyhYPXlffHoLz6Q5pU1ukshJ0P522IZbSSHpywPlVSjTa G3RgeX1vgailqMPycJIaZ84dThsLEKEWDlG1YGiO1OsJPd9UOLd7nKRmH/G8ZrJ1tUgX 1NtmT+LjjRETn+Xyfoajl1bpfqpkQfVB53p4vgGRlIGa5i/6egfdcZiKzYkWxoJwYNuJ kv4g/hNL74M0jApBj/8wKpIR17KCHzf7ofgjVd/ZP5XcoNw24Z7dWBm5/rlaXZDVs26V mGvg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:sender:dkim-signature :dkim-signature; bh=7vRLLmSgPt8docH0LG5VcZBxCNttFEuqOcs7qwpd7GM=; fh=CnLbW9ymE2RD1on+QfBfXJJ7qPs9Hah8Q+b3IuSN6AY=; b=JXXMhvVxIBIdkOGIC0biGuNkYg231N0Wt6pE7FLTi1zkseueu5LCEKlV396HNio44M Ya9L+l5M+G4TYitUOTpEfBPXse1KMoHcZaWHLb7GBopNVH9EWeCFu45LogcgOs7APc2z 43T7VtgGjyN5VHxz9l0fkjtZnGSsTBEpV/mcUUFZO2s5MuVPazpN851zjn7GJiL2TGMu HXeLj85qUxyDjoj7Mgy3rb6MUEtZi+nNS+uPLsFu0hR843kDnHTaipwFO7H+tL8qTtfW W548hs1Xwz7kJUMVDX9u3IVOPHFnhwjnWrfMhNBDPQI7FAmzsxIQMymZ2jkLSNnNHEat /INA==; darn=gnusha.org ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=fMXp+TMf; spf=pass (google.com: domain of dustinvonsandwich@gmail.com designates 2607:f8b0:4864:20::c36 as permitted sender) smtp.mailfrom=dustinvonsandwich@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1748214475; x=1748819275; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:sender:from:to:cc:subject:date:message-id :reply-to; bh=7vRLLmSgPt8docH0LG5VcZBxCNttFEuqOcs7qwpd7GM=; b=SRMCCnA+gagsGzs2Szl20D9sgZJychpVZWgCWEBrVzDl50xpAxSIje738XlaI+KWGp OnGLjj0Sh+Pnr2fIN3DCiaqvZGqo2FZQfwPmnQlCiSlZGOuY1MkvjI+Va0SxryMSseKd YDKHiL2jNF6TrWDTOgw1Ge05NolslL5k560KWBqge7euGhEKnPr/FG139oXndXcDkXZ9 Hl1o2v1/owUl/A+4B0XFbs6iZdCWxLcgAUPYLmcfUxna5qeXzgfz/f1/aoOVsT3cYcJN GX9KGLqe1rw88VUR1zYfXM05CfG6bsICF92pwHQlW6odFo70eSywGZnB6EH4dw/4402P kSnQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1748214475; x=1748819275; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:from:to:cc:subject:date:message-id:reply-to; bh=7vRLLmSgPt8docH0LG5VcZBxCNttFEuqOcs7qwpd7GM=; b=NKjhJTcDUn1rgjPw1nOQFekyhEnDn5sTmkTj87Pm8PbYWMCBlknkSouELrnjoheLgn VQCZUentvRIX3PdxWB72QIGQpcbp9BMAIQL78C7hQnwIzqRClLtypTNzDvthxLWeZVH+ DKL6nZAeF2hQWwyJZTLKMSaz4Q5h+5sW6mjMM+3ftYR4jGqIyEPXQ+VVAeCTgfAU7xZb Mnh0e5hZYIvswUqkbrYGy+5fuuUHEro75AAq7nXWwbp2XKSPua//qrwTkWh/2Qz4uNze ywkVk2N1eUzfXKdMf6KxkU8d6jxlbXE5iuRuMtqa7i0vsIbUy635ItKN2kc3HBRCVhqI kJSg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1748214475; x=1748819275; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:x-beenthere:x-gm-message-state:sender:from :to:cc:subject:date:message-id:reply-to; bh=7vRLLmSgPt8docH0LG5VcZBxCNttFEuqOcs7qwpd7GM=; b=dOu3KWBlcWQvtt50lWJC+eMzD9W+CbN9gWFPRU7QXove0vOMhW8XsMM8NX4gf3uIxe IMawU5v0U5EbW5Oo81/N+fnrNRFXGZU8n7g41P5Hz2gcAytJxj5ucP6j5SZYRayilpRa myRDujHmfd35WpZMMi9mV0J0yJk6C/XHHcdkxjkg3nT3uFEUfiZFSM9hPjJlCDG7PU+P lV4hHhnKop/w9dYrNA/n3J10TjKd2U4vNDSXkg7+h5Sfwjlmuifzgy6s4Hhq6T0Fh4w/ u5OtDYxWQSyju7YDg/IJtJhHyd9eVKh9x6oFZUOb8R7K3AnnAHYJRWDP2/t6sQxQcHqU mbRw== Sender: bitcoindev@googlegroups.com X-Forwarded-Encrypted: i=2; AJvYcCXBW0M8wYsPmqKmeNs7FuGDX1rZ/qe3l+MPUEKy9qc9P2SNuAG/qq8pgVAM6oKom/plQwt88rr0DocO@gnusha.org X-Gm-Message-State: AOJu0Yy2llZo9j23nZq5B31Uekr3cLihadMgytXqEpwXWqSbNPrh9VIW orY3rg0y4AeLQHFlC+XB6LCQOtm7EVLM8YhwMy9+1Iu+LnsRttdFJOzA X-Google-Smtp-Source: AGHT+IE2By1pjjzo15L/ENng2YS4wjjdYP7rFT/fUd3i1hXWSa1sgoiMDyQFdtZ0a6v8Hje0KVt7fQ== X-Received: by 2002:a05:6871:2b1a:b0:2c2:489d:887 with SMTP id 586e51a60fabf-2e861ea48a8mr3517120fac.17.1748214474875; Sun, 25 May 2025 16:07:54 -0700 (PDT) X-BeenThere: bitcoindev@googlegroups.com; h=AVT/gBEY624cVvr+Ui776AXbonaKjRLT6JnsP6DD6WOhOEZWkA== Received: by 2002:a05:6870:b20e:b0:29f:bc7e:8f4e with SMTP id 586e51a60fabf-2e85fa5da8els765383fac.1.-pod-prod-05-us; Sun, 25 May 2025 16:07:50 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCXlbFFR2to5NL2rpvM1o0OlhONA2y3jr1N4SnqpJWfiRDmK/fY3q64DC4k7raZ/gbwNatM2YpIbicJT@googlegroups.com X-Received: by 2002:a05:6808:8711:20b0:406:2bb4:99db with SMTP id 5614622812f47-40646855bd5mr2957995b6e.35.1748214470671; Sun, 25 May 2025 16:07:50 -0700 (PDT) Received: by 2002:a05:6808:2a02:b0:3f9:f009:458e with SMTP id 5614622812f47-404da0f7d23msb6e; Sun, 25 May 2025 16:04:00 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCUH2jcWKTYcZFSqnUiWIPpQK0SO4U2t2zCs6JhAk0A+CD2mI1lIjb8HPtFEj2cuCKQ7+LwTD0V3Dxg4@googlegroups.com X-Received: by 2002:a05:6602:389a:b0:85d:b7a3:b84d with SMTP id ca18e2360f4ac-86cbb8bee3emr522166139f.13.1748214239267; Sun, 25 May 2025 16:03:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1748214239; cv=none; d=google.com; s=arc-20240605; b=C/hYCH/ZVWaIYQx36yzRRHiXk6wc5JGJVjTL8jFPKXzdEAaNU0LDFqOhZppV0srWAF Ij8gABg96iyLk0rFxTmWhcYVe74llEpdJrztw+YQgjTtWgaK6klIWcaC+UmN2nCzoxCb +IpgT5XqbHH4jZmEX/IU7aW+zGJstE3yiHC7+10WMlljg6VJsu7D4Fb1F4rIJDqrWyvh NZvLjmcuOOkOGfS6LW0nsU1xfw6EOHX2gl7555+ETopSV1blU2VJESRxAc0ez1ssC+Dc 10PsSkkdebjXClPuq14z0xBwlXefin7g22Lbn47vqPtrKH0HLpiULsLG6imy+xwWckDX E6Jg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=XsNBH6x/ugqjlIVo2Cy5T5jMXHAwbUlLZq3CoUbIaiE=; fh=rgn+95X47RN4G6Pbbcj7taFeCVvAqQH0Tt+jA50zGm8=; b=LV0OHhP7X7sVrG/NHvz6/osgYTjokqhAtvMUNc08blhFpBFVeHDnA8gcRXwF90clJV 9FCPSZyMxG8e3qFWWPZEITW0XOvvh56eiWnmeKl1pf4qDIqrrfgqeTpWH9N6aq9YStwh MIvTXHyHffAxof6YcTXxGyDUGp1wpTEinrctmf2ETZJRYzV5RIgKAUlAs9zakn9ZtrIJ 1jOb6qKRf505JTt4U5dKXQ6/oqavIKp8vosIaqc/so0K3AhlkW8W2Syz34B7Kek4vEgd eVCs/ZsOFI5mzLh1PMdf/iUeOQtt95q4mAKS7wvpLbKarYnT4qQJleRvtkY3dIbDfguM SvzA==; dara=google.com ARC-Authentication-Results: i=1; gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=fMXp+TMf; spf=pass (google.com: domain of dustinvonsandwich@gmail.com designates 2607:f8b0:4864:20::c36 as permitted sender) smtp.mailfrom=dustinvonsandwich@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com Received: from mail-oo1-xc36.google.com (mail-oo1-xc36.google.com. [2607:f8b0:4864:20::c36]) by gmr-mx.google.com with ESMTPS id ca18e2360f4ac-86a235e06aesi87792539f.1.2025.05.25.16.03.59 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 25 May 2025 16:03:59 -0700 (PDT) Received-SPF: pass (google.com: domain of dustinvonsandwich@gmail.com designates 2607:f8b0:4864:20::c36 as permitted sender) client-ip=2607:f8b0:4864:20::c36; Received: by mail-oo1-xc36.google.com with SMTP id 006d021491bc7-601b6146b9cso754522eaf.0 for ; Sun, 25 May 2025 16:03:59 -0700 (PDT) X-Forwarded-Encrypted: i=1; AJvYcCX2npodi8fTMcT4cMqAsWZqzO/nq9Zk0fdL2y/yE6BQUF8XxgXJsILxVddlKYlYzEvLY1wH3mAjlnLu@googlegroups.com X-Gm-Gg: ASbGncvQ52fc8IlGqjfPWABeROlPcFtgJ1NQEMjKha8Cn7iwxrBoHf5QIMJh8sjQ4bg MNc6xvDjSUcbD5qXUEuRI6xFyE/Z9s7EmZrGwk+aTbCeR70bB4J/AZqswTezAm0GF1cdSj/XTam GT2lXdFlrSJqefo7v1bd0HULsGlLwLtm34KVg= X-Received: by 2002:a05:6870:e92:b0:2c1:c821:c836 with SMTP id 586e51a60fabf-2e861eb6a07mr3786027fac.22.1748214238553; Sun, 25 May 2025 16:03:58 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Dustin Ray Date: Sun, 25 May 2025 16:03:46 -0700 X-Gm-Features: AX0GCFvIrGbUbNPnnh6SKKZeWRX5apnMD2eNZVnW_TQk7EkD_k-f6xG49wsIizU Message-ID: Subject: Re: [bitcoindev] Against Allowing Quantum Recovery of Bitcoin To: conduition Cc: Agustin Cruz , AstroTown , bitcoindev@googlegroups.com Content-Type: multipart/alternative; boundary="000000000000ae2c4f0635fdd818" X-Original-Sender: Dustinvonsandwich@gmail.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=fMXp+TMf; spf=pass (google.com: domain of dustinvonsandwich@gmail.com designates 2607:f8b0:4864:20::c36 as permitted sender) smtp.mailfrom=dustinvonsandwich@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com Precedence: list Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com List-ID: X-Google-Group-Id: 786775582512 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Score: 0.0 (/) --000000000000ae2c4f0635fdd818 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable The difference between the ETH/ETC split though was that no one had anything confiscated except the DAO hacker, everyone retained an identical number of tokens on each chain. The proposal for BTC is very different in that some holders will lose access to their coins during the PQ migration under the confiscation approach. Just wanted to point that out. On Sun, May 25, 2025 at 3:06=E2=80=AFPM 'conduition' via Bitcoin Developmen= t Mailing List wrote: > Hey Saulo, > > You're right about the possibility of an ugly split. Laggards who don't > move coins to PQ address schemes will be incentivized to follow any chain > where they keep their coins. But those who do migrate will be incentivize= d > to follow the chain where unmigrated pre-quantum coins are frozen. > > While you're comparing this event to the ETH/ETC split, we should remembe= r > that ETH remained the dominant chain despite their heavy-handed rollback. > Just goes to show, confusion and face-loss is a lesser evil than allowing > an adversary to pwn the network. > > This is the free-market way to solve problems without imposing rules on > everyone. > > > It'd still be a free market even if quantum-vulnerable coins are frozen. > The only way to test the relative value of quantum-safe vs > quantum-vulnerable coins is to split the chain and see how the market > reacts. > > IMO, the "free market way" is to give people options and let their money > flow to where it works best. That means people should be able to choose > whether they want their money to be part of a system that allows quantum > attack, or part of one which does not. I know which I would choose, but > neither you nor I can make that choice for everyone. > > regards, > conduition > On Monday, March 24th, 2025 at 7:19 AM, Agustin Cruz < > agustin.cruz@gmail.com> wrote: > > I=E2=80=99m against letting quantum computers scoop up funds from address= es that > don=E2=80=99t upgrade to quantum-resistant. > Saulo=E2=80=99s idea of a free-market approach, leaving old coins up for = grabs if > people don=E2=80=99t move them, sounds fair at first. Let luck decide, ri= ght? But I > worry it=E2=80=99d turn into a mess. If quantum machines start cracking k= eys and > snagging coins, it=E2=80=99s not just lost Satoshi-era stuff at risk. Ple= nty of > active wallets, like those on the rich list Jameson mentioned, could get > hit too. Imagine millions of BTC flooding the market. Prices tank, trust = in > Bitcoin takes a dive, and we all feel the pain. Freezing those vulnerable > funds keeps that chaos in check. > Plus, =E2=80=9Cyour keys, your coins=E2=80=9D is Bitcoin=E2=80=99s heart.= If quantum tech can > steal from you just because you didn=E2=80=99t upgrade fast enough, that = promise > feels shaky. Freezing funds after a heads-up period (say, four years) > protects that idea better than letting tech giants or rogue states play > vampire with our network. It also nudges people to get their act together > and move to safer addresses, which strengthens Bitcoin long-term. > Saulo=E2=80=99s right that freezing coins could confuse folks or spark a = split > like Ethereum Classic. But I=E2=80=99d argue quantum theft would look wor= se. > Bitcoin would seem broken, not just strict. A clear plan and enough time = to > migrate could smooth things over. History=E2=80=99s on our side too. Bitc= oin=E2=80=99s > fixed bugs before, like SegWit. This feels like that, not a bailout. > So yeah, I=E2=80=99d rather see vulnerable coins locked than handed to wh= oever > builds the first quantum rig. It=E2=80=99s less about coddling people and= more > about keeping Bitcoin solid for everyone. What do you all think? > Cheers, > Agust=C3=ADn > > > On Sun, Mar 23, 2025 at 10:29=E2=80=AFPM AstroTown w= rote: > >> I believe that having some entity announce the decision to freeze old >> UTXOs would be more damaging to Bitcoin=E2=80=99s image (and its value) = than having >> them gathered by QC. This would create another version of Bitcoin, simil= ar >> to Ethereum Classic, causing confusion in the market. >> >> It would be better to simply implement the possibility of moving funds t= o >> a PQC address without a deadline, allowing those who fail to do so to re= ly >> on luck to avoid having their coins stolen. Most coins would be migrated= to >> PQC anyway, and in most cases, only the lost ones would remain vulnerabl= e. >> This is the free-market way to solve problems without imposing rules on >> everyone. >> >> Saulo Fonseca >> >> >> On 16. Mar 2025, at 15:15, Jameson Lopp wrote: >> >> The quantum computing debate is heating up. There are many controversial >> aspects to this debate, including whether or not quantum computers will >> ever actually become a practical threat. >> >> I won't tread into the unanswerable question of how worried we should be >> about quantum computers. I think it's far from a crisis, but given the >> difficulty in changing Bitcoin it's worth starting to seriously discuss. >> Today I wish to focus on a philosophical quandary related to one of the >> decisions that would need to be made if and when we implement a quantum >> safe signature scheme. >> >> Several Scenarios >> Because this essay will reference game theory a fair amount, and there >> are many variables at play that could change the nature of the game, I >> think it's important to clarify the possible scenarios up front. >> >> 1. Quantum computing never materializes, never becomes a threat, and thu= s >> everything discussed in this essay is moot. >> 2. A quantum computing threat materializes suddenly and Bitcoin does not >> have quantum safe signatures as part of the protocol. In this scenario i= t >> would likely make the points below moot because Bitcoin would be >> fundamentally broken and it would take far too long to upgrade the >> protocol, wallet software, and migrate user funds in order to restore >> confidence in the network. >> 3. Quantum computing advances slowly enough that we come to consensus >> about how to upgrade Bitcoin and post quantum security has been minimall= y >> adopted by the time an attacker appears. >> 4. Quantum computing advances slowly enough that we come to consensus >> about how to upgrade Bitcoin and post quantum security has been highly >> adopted by the time an attacker appears. >> >> For the purposes of this post, I'm envisioning being in situation 3 or 4= . >> >> To Freeze or not to Freeze? >> I've started seeing more people weighing in on what is likely the most >> contentious aspect of how a quantum resistance upgrade should be handled= in >> terms of migrating user funds. Should quantum vulnerable funds be left o= pen >> to be swept by anyone with a sufficiently powerful quantum computer OR >> should they be permanently locked? >> >> "I don't see why old coins should be confiscated. The better option is t= o >>> let those with quantum computers free up old coins. While this might ha= ve >>> an inflationary impact on bitcoin's price, to use a turn of phrase, the >>> inflation is transitory. Those with low time preference should support >>> returning lost coins to circulation." >> >> - Hunter Beast >> >> >> On the other hand: >> >> "Of course they have to be confiscated. If and when (and that's a big if= ) >>> the existence of a cryptography-breaking QC becomes a credible threat, = the >>> Bitcoin ecosystem has no other option than softforking out the ability = to >>> spend from signature schemes (including ECDSA and BIP340) that are >>> vulnerable to QCs. The alternative is that millions of BTC become >>> vulnerable to theft; I cannot see how the currency can maintain any val= ue >>> at all in such a setting. And this affects everyone; even those which >>> diligently moved their coins to PQC-protected schemes." >>> - Pieter Wuille >> >> >> I don't think "confiscation" is the most precise term to use, as the >> funds are not being seized and reassigned. Rather, what we're really >> discussing would be better described as "burning" - placing the funds *o= ut >> of reach of everyone*. >> >> Not freezing user funds is one of Bitcoin's inviolable properties. >> However, if quantum computing becomes a threat to Bitcoin's elliptic cur= ve >> cryptography, *an inviolable property of Bitcoin will be violated one >> way or another*. >> >> Fundamental Properties at Risk >> 5 years ago I attempted to comprehensively categorize all of Bitcoin's >> fundamental properties that give it value. >> https://nakamoto.com/what-are-the-key-properties-of-bitcoin/ >> >> The particular properties in play with regard to this issue seem to be: >> >> *Censorship Resistance* - No one should have the power to prevent others >> from using their bitcoin or interacting with the network. >> >> *Forward Compatibility* - changing the rules such that certain valid >> transactions become invalid could undermine confidence in the protocol. >> >> *Conservatism* - Users should not be expected to be highly responsive to >> system issues. >> >> As a result of the above principles, we have developed a strong meme >> (kudos to Andreas Antonopoulos) that goes as follows: >> >> Not your keys, not your coins. >> >> >> I posit that the corollary to this principle is: >> >> Your keys, only your coins. >> >> >> A quantum capable entity breaks the corollary of this foundational >> principle. We secure our bitcoin with the mathematical probabilities >> related to extremely large random numbers. Your funds are only secure >> because truly random large numbers should not be guessable or discoverab= le >> by anyone else in the world. >> >> This is the principle behind the motto *vires in numeris* - strength in >> numbers. In a world with quantum enabled adversaries, this principle is >> null and void for many types of cryptography, including the elliptic cur= ve >> digital signatures used in Bitcoin. >> >> Who is at Risk? >> There has long been a narrative that Satoshi's coins and others from the >> Satoshi era of P2PK locking scripts that exposed the public key directly= on >> the blockchain will be those that get scooped up by a quantum "miner." B= ut >> unfortunately it's not that simple. If I had a powerful quantum computer= , >> which coins would I target? I'd go to the Bitcoin rich list and find the >> wallets that have exposed their public keys due to re-using addresses th= at >> have previously been spent from. You can easily find them at >> https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html >> >> Note that a few of these wallets, like Bitfinex / Kraken / Tether, would >> be slightly harder to crack because they are multisig wallets. So a quan= tum >> attacker would need to reverse engineer 2 keys for Kraken or 3 for Bitfi= nex >> / Tether in order to spend funds. But many are single signature. >> >> Point being, it's not only the really old lost BTC that are at risk to a >> quantum enabled adversary, at least at time of writing. If we add a quan= tum >> safe signature scheme, we should expect those wallets to be some of the >> first to upgrade given their incentives. >> >> The Ethical Dilemma: Quantifying Harm >> Which decision results in the most harm? >> >> By making quantum vulnerable funds unspendable we potentially harm some >> Bitcoin users who were not paying attention and neglected to migrate the= ir >> funds to a quantum safe locking script. This violates the "conservativis= m" >> principle stated earlier. On the flip side, we prevent those funds plus = far >> more lost funds from falling into the hands of the few privileged folks = who >> gain early access to quantum computers. >> >> By leaving quantum vulnerable funds available to spend, the same set of >> users who would otherwise have funds frozen are likely to see them stole= n. >> And many early adopters who lost their keys will eventually see their >> unreachable funds scooped up by a quantum enabled adversary. >> >> Imagine, for example, being James Howells, who accidentally threw away a >> hard drive with 8,000 BTC on it, currently worth over $600M USD. He has >> spent a decade trying to retrieve it from the landfill where he knows it= 's >> buried, but can't get permission to excavate. I suspect that, given the >> choice, he'd prefer those funds be permanently frozen rather than fall i= nto >> someone else's possession - I know I would. >> >> Allowing a quantum computer to access lost funds doesn't make those user= s >> any worse off than they were before, however it *would*have a negative >> impact upon everyone who is currently holding bitcoin. >> >> It's prudent to expect significant economic disruption if large amounts >> of coins fall into new hands. Since a quantum computer is going to have = a >> massive up front cost, expect those behind it to desire to recoup their >> investment. We also know from experience that when someone suddenly find= s >> themselves in possession of 9+ figures worth of highly liquid assets, th= ey >> tend to diversify into other things by selling. >> >> Allowing quantum recovery of bitcoin is *tantamount to wealth >> redistribution*. What we'd be allowing is for bitcoin to be >> redistributed from those who are ignorant of quantum computers to those = who >> have won the technological race to acquire quantum computers. It's hard = to >> see a bright side to that scenario. >> >> Is Quantum Recovery Good for Anyone? >> >> Does quantum recovery HELP anyone? I've yet to come across an argument >> that it's a net positive in any way. It certainly doesn't add any securi= ty >> to the network. If anything, it greatly decreases the security of the >> network by allowing funds to be claimed by those who did not earn them. >> >> But wait, you may be thinking, wouldn't quantum "miners" have earned >> their coins by all the work and resources invested in building a quantum >> computer? I suppose, in the same sense that a burglar earns their spoils= by >> the resources they invest into surveilling targets and learning the skil= ls >> needed to break into buildings. What I say "earned" I mean through >> productive mutual trade. >> >> For example: >> >> * Investors earn BTC by trading for other currencies. >> * Merchants earn BTC by trading for goods and services. >> * Miners earn BTC by trading thermodynamic security. >> * Quantum miners don't trade anything, they are vampires feeding upon th= e >> system. >> >> There's no reason to believe that allowing quantum adversaries to recove= r >> vulnerable bitcoin will be of benefit to anyone other than the select fe= w >> organizations that win the technological arms race to build the first su= ch >> computers. Probably nation states and/or the top few largest tech compan= ies. >> >> One could certainly hope that an organization with quantum supremacy is >> benevolent and acts in a "white hat" manner to return lost coins to thei= r >> owners, but that's incredibly optimistic and foolish to rely upon. Such = a >> situation creates an insurmountable ethical dilemma of only recovering l= ost >> bitcoin rather than currently owned bitcoin. There's no way to precisely >> differentiate between the two; anyone can claim to have lost their bitco= in >> but if they have lost their keys then proving they ever had the keys >> becomes rather difficult. I imagine that any such white hat recovery >> efforts would have to rely upon attestations from trusted third parties >> like exchanges. >> >> Even if the first actor with quantum supremacy is benevolent, we must >> assume the technology could fall into adversarial hands and thus think >> adversarially about the potential worst case outcomes. Imagine, for >> example, that North Korea continues scooping up billions of dollars from >> hacking crypto exchanges and decides to invest some of those proceeds in= to >> building a quantum computer for the biggest payday ever... >> >> Downsides to Allowing Quantum Recovery >> Let's think through an exhaustive list of pros and cons for allowing or >> preventing the seizure of funds by a quantum adversary. >> >> Historical Precedent >> Previous protocol vulnerabilities weren=E2=80=99t celebrated as "fair ga= me" but >> rather were treated as failures to be remediated. Treating quantum theft >> differently risks rewriting Bitcoin=E2=80=99s history as a free-for-all = rather than >> a system that seeks to protect its users. >> >> Violation of Property Rights >> Allowing a quantum adversary to take control of funds undermines the >> fundamental principle of cryptocurrency - if you keep your keys in your >> possession, only you should be able to access your money. Bitcoin is bui= lt >> on the idea that private keys secure an individual=E2=80=99s assets, and >> unauthorized access (even via advanced tech) is theft, not a legitimate >> transfer. >> >> Erosion of Trust in Bitcoin >> If quantum attackers can exploit vulnerable addresses, confidence in >> Bitcoin as a secure store of value would collapse. Users and investors r= ely >> on cryptographic integrity, and widespread theft could drive adoption aw= ay >> from Bitcoin, destabilizing its ecosystem. >> >> This is essentially the counterpoint to claiming the burning of >> vulnerable funds is a violation of property rights. While some will >> certainly see it as such, others will find the apathy toward stopping >> quantum theft to be similarly concerning. >> >> Unfair Advantage >> Quantum attackers, likely equipped with rare and expensive technology, >> would have an unjust edge over regular users who lack access to such too= ls. >> This creates an inequitable system where only the technologically elite = can >> exploit others, contradicting Bitcoin=E2=80=99s ethos of decentralized p= ower. >> >> Bitcoin is designed to create an asymmetric advantage for DEFENDING one'= s >> wealth. It's supposed to be impractically expensive for attackers to cra= ck >> the entropy and cryptography protecting one's coins. But now we find >> ourselves discussing a situation where this asymmetric advantage is >> compromised in favor of a specific class of attackers. >> >> Economic Disruption >> Large-scale theft from vulnerable addresses could crash Bitcoin=E2=80=99= s price >> as quantum recovered funds are dumped on exchanges. This would harm all >> holders, not just those directly targeted, leading to broader financial >> chaos in the markets. >> >> Moral Responsibility >> Permitting theft via quantum computing sets a precedent that >> technological superiority justifies unethical behavior. This is essentia= lly >> taking a "code is law" stance in which we refuse to admit that both code >> and laws can be modified to adapt to previously unforeseen situations. >> >> Burning of coins can certainly be considered a form of theft, thus I >> think it's worth differentiating the two different thefts being discusse= d: >> >> 1. self-enriching & likely malicious >> 2. harm prevention & not necessarily malicious >> >> Both options lack the consent of the party whose coins are being burnt o= r >> transferred, thus I think the simple argument that theft is immoral beco= mes >> a wash and it's important to drill down into the details of each. >> >> Incentives Drive Security >> I can tell you from a decade of working in Bitcoin security - the averag= e >> user is lazy and is a procrastinator. If Bitcoiners are given a "drop de= ad >> date" after which they know vulnerable funds will be burned, this pressu= re >> accelerates the adoption of post-quantum cryptography and strengthens >> Bitcoin long-term. Allowing vulnerable users to delay upgrading >> indefinitely will result in more laggards, leaving the network more expo= sed >> when quantum tech becomes available. >> >> Steel Manning >> Clearly this is a complex and controversial topic, thus it's worth >> thinking through the opposing arguments. >> >> Protecting Property Rights >> Allowing quantum computers to take vulnerable bitcoin could potentially >> be spun as a hard money narrative - we care so greatly about not violati= ng >> someone's access to their coins that we allow them to be stolen! >> >> But I think the flip side to the property rights narrative is that >> burning vulnerable coins prevents said property from falling into >> undeserving hands. If the entire Bitcoin ecosystem just stands around an= d >> allows quantum adversaries to claim funds that rightfully belong to othe= r >> users, is that really a "win" in the "protecting property rights" catego= ry? >> It feels more like apathy to me. >> >> As such, I think the "protecting property rights" argument is a wash. >> >> Quantum Computers Won't Attack Bitcoin >> There is a great deal of skepticism that sufficiently powerful quantum >> computers will ever exist, so we shouldn't bother preparing for a >> non-existent threat. Others have argued that even if such a computer was >> built, a quantum attacker would not go after bitcoin because they wouldn= 't >> want to reveal their hand by doing so, and would instead attack other >> infrastructure. >> >> It's quite difficult to quantify exactly how valuable attacking other >> infrastructure would be. It also really depends upon when an entity gain= s >> quantum supremacy and thus if by that time most of the world's systems h= ave >> already been upgraded. While I think you could argue that certain entiti= es >> gaining quantum capability might not attack Bitcoin, it would only delay >> the inevitable - eventually somebody will achieve the capability who >> decides to use it for such an attack. >> >> Quantum Attackers Would Only Steal Small Amounts >> Some have argued that even if a quantum attacker targeted bitcoin, they'= d >> only go after old, likely lost P2PK outputs so as to not arouse suspicio= n >> and cause a market panic. >> >> I'm not so sure about that; why go after 50 BTC at a time when you could >> take 250,000 BTC with the same effort as 50 BTC? This is a classic "zero >> day exploit" game theory in which an attacker knows they have a limited >> amount of time before someone else discovers the exploit and either >> benefits from it or patches it. Take, for example, the recent ByBit atta= ck >> - the highest value crypto hack of all time. Lazarus Group had compromis= ed >> the Safe wallet front end JavaScript app and they could have simply had = it >> reassign ownership of everyone's Safe wallets as they were interacting w= ith >> their wallet. But instead they chose to only specifically target ByBit's >> wallet with $1.5 billion in it because they wanted to maximize their >> extractable value. If Lazarus had started stealing from every wallet, th= ey >> would have been discovered quickly and the Safe web app would likely hav= e >> been patched well before any billion dollar wallets executed the malicio= us >> code. >> >> I think the "only stealing small amounts" argument is strongest for >> Situation #2 described earlier, where a quantum attacker arrives before >> quantum safe cryptography has been deployed across the Bitcoin ecosystem= . >> Because if it became clear that Bitcoin's cryptography was broken AND th= ere >> was nowhere safe for vulnerable users to migrate, the only logical optio= n >> would be for everyone to liquidate their bitcoin as quickly as possible.= As >> such, I don't think it applies as strongly for situations in which we ha= ve >> a migration path available. >> >> The 21 Million Coin Supply Should be in Circulation >> Some folks are arguing that it's important for the "circulating / >> spendable" supply to be as close to 21M as possible and that having a >> significant portion of the supply out of circulation is somehow undesira= ble. >> >> While the "21M BTC" attribute is a strong memetic narrative, I don't >> think anyone has ever expected that it would all be in circulation. It h= as >> always been understood that many coins will be lost, and that's actually >> part of the game theory of owning bitcoin! >> >> And remember, the 21M number in and of itself is not a particularly >> important detail - it's not even mentioned in the whitepaper. What's >> important is that the supply is well known and not subject to change. >> >> Self-Sovereignty and Personal Responsibility >> Bitcoin=E2=80=99s design empowers individuals to control their own wealt= h, free >> from centralized intervention. This freedom comes with the burden of >> securing one's private keys. If quantum computing can break obsolete >> cryptography, the fault lies with users who didn't move their funds to >> quantum safe locking scripts. Expecting the network to shield users from >> their own negligence undermines the principle that you, and not a third >> party, are accountable for your assets. >> >> I think this is generally a fair point that "the community" doesn't owe >> you anything in terms of helping you. I think that we do, however, need = to >> consider the incentives and game theory in play with regard to quantum s= afe >> Bitcoiners vs quantum vulnerable Bitcoiners. More on that later. >> >> Code is Law >> Bitcoin operates on transparent, immutable rules embedded in its >> protocol. If a quantum attacker uses superior technology to derive priva= te >> keys from public keys, they=E2=80=99re not "hacking" the system - they'r= e simply >> following what's mathematically permissible within the current code. >> Altering the protocol to stop this introduces subjective human >> intervention, which clashes with the objective, deterministic nature of >> blockchain. >> >> While I tend to agree that code is law, one of the entire points of laws >> is that they can be amended to improve their efficacy in reducing harm. >> Leaning on this point seems more like a pro-ossification stance that it'= s >> better to do nothing and allow harm to occur rather than take action to >> stop an attack that was foreseen far in advance. >> >> Technological Evolution as a Feature, Not a Bug >> It's well known that cryptography tends to weaken over time and >> eventually break. Quantum computing is just the next step in this >> progression. Users who fail to adapt (e.g., by adopting quantum-resistan= t >> wallets when available) are akin to those who ignored technological >> advancements like multisig or hardware wallets. Allowing quantum theft >> incentivizes innovation and keeps Bitcoin=E2=80=99s ecosystem dynamic, p= unishing >> complacency while rewarding vigilance. >> >> Market Signals Drive Security >> If quantum attackers start stealing funds, it sends a clear signal to th= e >> market: upgrade your security or lose everything. This pressure accelera= tes >> the adoption of post-quantum cryptography and strengthens Bitcoin >> long-term. Coddling vulnerable users delays this necessary evolution, >> potentially leaving the network more exposed when quantum tech becomes >> widely accessible. Theft is a brutal but effective teacher. >> >> Centralized Blacklisting Power >> Burning vulnerable funds requires centralized decision-making - a soft >> fork to invalidate certain transactions. This sets a dangerous precedent >> for future interventions, eroding Bitcoin=E2=80=99s decentralization. If= quantum >> theft is blocked, what=E2=80=99s next - reversing exchange hacks? The sy= stem must >> remain neutral, even if it means some lose out. >> >> I think this could be a potential slippery slope if the proposal was to >> only burn specific addresses. Rather, I'd expect a neutral proposal to b= urn >> all funds in locking script types that are known to be quantum vulnerabl= e. >> Thus, we could eliminate any subjectivity from the code. >> >> Fairness in Competition >> Quantum attackers aren't cheating; they're using publicly available >> physics and math. Anyone with the resources and foresight can build or >> access quantum tech, just as anyone could mine Bitcoin in 2009 with a CP= U. >> Early adopters took risks and reaped rewards; quantum innovators are doi= ng >> the same. Calling it =E2=80=9Cunfair=E2=80=9D ignores that Bitcoin has n= ever promised >> equality of outcome - only equality of opportunity within its rules. >> >> I find this argument to be a mischaracterization because we're not >> talking about CPUs. This is more akin to talking about ASICs, except eac= h >> ASIC costs millions if not billions of dollars. This is out of reach fro= m >> all but the wealthiest organizations. >> >> Economic Resilience >> Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and >> emerged stronger. The market can absorb quantum losses, with unaffected >> users continuing to hold and new entrants buying in at lower prices. Fea= r >> of economic collapse overestimates the impact - the network=E2=80=99s an= tifragility >> thrives on such challenges. >> >> This is a big grey area because we don't know when a quantum computer >> will come online and we don't know how quickly said computers would be a= ble >> to steal bitcoin. If, for example, the first generation of sufficiently >> powerful quantum computers were stealing less volume than the current bl= ock >> reward then of course it will have minimal economic impact. But if they'= re >> taking thousands of BTC per day and bringing them back into circulation, >> there will likely be a noticeable market impact as it absorbs the new >> supply. >> >> This is where the circumstances will really matter. If a quantum attacke= r >> appears AFTER the Bitcoin protocol has been upgraded to support quantum >> resistant cryptography then we should expect the most valuable active >> wallets will have upgraded and the juiciest target would be the 31,000 B= TC >> in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has been dormant >> since 2010. In general I'd expect that the amount of BTC re-entering the >> circulating supply would look somewhat similar to the mining emission >> curve: volume would start off very high as the most valuable addresses a= re >> drained and then it would fall off as quantum computers went down the li= st >> targeting addresses with less and less BTC. >> >> Why is economic impact a factor worth considering? Miners and businesses >> in general. More coins being liquidated will push down the price, which >> will negatively impact miner revenue. Similarly, I can attest from worki= ng >> in the industry for a decade, that lower prices result in less demand fr= om >> businesses across the entire industry. As such, burning quantum vulnerab= le >> bitcoin is good for the entire industry. >> >> Practicality & Neutrality of Non-Intervention >> There=E2=80=99s no reliable way to distinguish =E2=80=9Ctheft=E2=80=9D f= rom legitimate "white >> hat" key recovery. If someone loses their private key and a quantum >> computer recovers it, is that stealing or reclaiming? Policing quantum >> actions requires invasive assumptions about intent, which Bitcoin=E2=80= =99s >> trustless design can=E2=80=99t accommodate. Letting the chips fall where= they may >> avoids this mess. >> >> Philosophical Purity >> Bitcoin rejects bailouts. It=E2=80=99s a cold, hard system where outcome= s reflect >> preparation and skill, not sentimentality. If quantum computing upends t= he >> game, that=E2=80=99s the point - Bitcoin isn=E2=80=99t meant to be safe = or fair in a >> nanny-state sense; it=E2=80=99s meant to be free. Users who lose funds t= o quantum >> attacks are casualties of liberty and their own ignorance, not victims o= f >> injustice. >> >> Bitcoin's DAO Moment >> This situation has some similarities to The DAO hack of an Ethereum smar= t >> contract in 2016, which resulted in a fork to stop the attacker and retu= rn >> funds to their original owners. The game theory is similar because it's = a >> situation where a threat is known but there's some period of time before >> the attacker can actually execute the theft. As such, there's time to >> mitigate the attack by changing the protocol. >> >> It also created a schism in the community around the true meaning of >> "code is law," resulting in Ethereum Classic, which decided to allow the >> attacker to retain control of the stolen funds. >> >> A soft fork to burn vulnerable bitcoin could certainly result in a hard >> fork if there are enough miners who reject the soft fork and continue >> including transactions. >> >> Incentives Matter >> We can wax philosophical until the cows come home, but what are the >> actual incentives for existing Bitcoin holders regarding this decision? >> >> "Lost coins only make everyone else's coins worth slightly more. Think o= f >>> it as a donation to everyone." - Satoshi Nakamoto >> >> >> If true, the corollary is: >> >> "Quantum recovered coins only make everyone else's coins worth less. >>> Think of it as a theft from everyone." - Jameson Lopp >> >> >> Thus, assuming we get to a point where quantum resistant signatures are >> supported within the Bitcoin protocol, what's the incentive to let >> vulnerable coins remain spendable? >> >> * It's not good for the actual owners of those coins. It disincentivizes >> owners from upgrading until perhaps it's too late. >> * It's not good for the more attentive / responsible owners of coins who >> have quantum secured their stash. Allowing the circulating supply to >> balloon will assuredly reduce the purchasing power of all bitcoin holder= s. >> >> Forking Game Theory >> From a game theory point of view, I see this as incentivizing users to >> upgrade their wallets. If you disagree with the burning of vulnerable >> coins, all you have to do is move your funds to a quantum safe signature >> scheme. Point being, I don't see there being an economic majority (or ev= en >> more than a tiny minority) of users who would fight such a soft fork. Wh= y >> expend significant resources fighting a fork when you can just move your >> coins to a new address? >> >> Remember that blocking spending of certain classes of locking scripts is >> a tightening of the rules - a soft fork. As such, it can be meaningfully >> enacted and enforced by a mere majority of hashpower. If miners generall= y >> agree that it's in their best interest to burn vulnerable coins, are oth= er >> users going to care enough to put in the effort to run new node software >> that resists the soft fork? Seems unlikely to me. >> >> How to Execute Burning >> In order to be as objective as possible, the goal would be to announce t= o >> the world that after a specific block height / timestamp, Bitcoin nodes >> will no longer accept transactions (or blocks containing such transactio= ns) >> that spend funds from any scripts other than the newly instituted quantu= m >> safe schemes. >> >> It could take a staggered approach to first freeze funds that are >> susceptible to long-range attacks such as those in P2PK scripts or those >> that exposed their public keys due to previously re-using addresses, but= I >> expect the additional complexity would drive further controversy. >> >> How long should the grace period be in order to give the ecosystem time >> to upgrade? I'd say a minimum of 1 year for software wallets to upgrade.= We >> can only hope that hardware wallet manufacturers are able to implement p= ost >> quantum cryptography on their existing hardware with only a firmware upd= ate. >> >> Beyond that, it will take at least 6 months worth of block space for all >> users to migrate their funds, even in a best case scenario. Though if yo= u >> exclude dust UTXOs you could probably get 95% of BTC value migrated in 1 >> month. Of course this is a highly optimistic situation where everyone is >> completely focused on migrations - in reality it will take far longer. >> >> Regardless, I'd think that in order to reasonably uphold Bitcoin's >> conservatism it would be preferable to allow a 4 year migration window. = In >> the meantime, mining pools could coordinate emergency soft forking logic >> such that if quantum attackers materialized, they could accelerate the >> countdown to the quantum vulnerable funds burn. >> >> Random Tangential Benefits >> On the plus side, burning all quantum vulnerable bitcoin would allow us >> to prune all of those UTXOs out of the UTXO set, which would also clean = up >> a lot of dust. Dust UTXOs are a bit of an annoyance and there has even b= een >> a recent proposal for how to incentivize cleaning them up. >> >> We should also expect that incentivizing migration of the entire UTXO se= t >> will create substantial demand for block space that will sustain a fee >> market for a fairly lengthy amount of time. >> >> In Summary >> While the moral quandary of violating any of Bitcoin's inviolable >> properties can make this a very complex issue to discuss, the game theor= y >> and incentives between burning vulnerable coins versus allowing them to = be >> claimed by entities with quantum supremacy appears to be a much simpler >> issue. >> >> I, for one, am not interested in rewarding quantum capable entities by >> inflating the circulating money supply just because some people lost the= ir >> keys long ago and some laggards are not upgrading their bitcoin wallet's >> security. >> >> We can hope that this scenario never comes to pass, but hope is not a >> strategy. >> >> I welcome your feedback upon any of the above points, and contribution o= f >> any arguments I failed to consider. >> >> -- >> You received this message because you are subscribed to the Google Group= s >> "Bitcoin Development Mailing List" group. >> To unsubscribe from this group and stop receiving emails from it, send a= n >> email to bitcoindev+unsubscribe@googlegroups.com. >> To view this discussion visit >> https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8n= A_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com >> . >> >> -- >> You received this message because you are subscribed to the Google Group= s >> "Bitcoin Development Mailing List" group. >> To unsubscribe from this group and stop receiving emails from it, send a= n >> email to bitcoindev+unsubscribe@googlegroups.com. >> To view this discussion visit >> https://groups.google.com/d/msgid/bitcoindev/E8269A1A-1899-46D2-A7CD-4D9= D2B732364%40astrotown.de >> . > > >> -- > You received this message because you are subscribed to the Google Groups > "Bitcoin Development Mailing List" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to bitcoindev+unsubscribe@googlegroups.com. > To view this discussion visit > https://groups.google.com/d/msgid/bitcoindev/CAJDmzYxw%2BmXQKjS%2Bh%2Br6m= Coe1rwWUpa_yZDwmwx6U_eO5JhZLg%40mail.gmail.com > . > > > -- > You received this message because you are subscribed to the Google Groups > "Bitcoin Development Mailing List" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to bitcoindev+unsubscribe@googlegroups.com. > To view this discussion visit > https://groups.google.com/d/msgid/bitcoindev/zyx7G6H1TyB2sWVEKAfIYmCCvfXn= iazvrhGlaZuGLeFtjL3Ky7B-9nBptC0GCxuHMjjw8RasO7c3ZX46_6Nerv0SgCP0vOi5_nAXLmi= CJOY%3D%40proton.me > > . > --=20 You received this message because you are subscribed to the Google Groups "= Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/= CAC3UE4%2BDR%3DDQqtT%2BX0SYvH1XCVnmatD7frcHC5dtdVAef39UnQ%40mail.gmail.com. --000000000000ae2c4f0635fdd818 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
The difference between the ETH/ETC split though was that = no one had anything confiscated except the DAO hacker, everyone retained an= identical number of tokens on each chain. The proposal for BTC is very dif= ferent in that some holders will lose access to their coins during the PQ m= igration under the confiscation approach. Just wanted to point that out.

On Sun, May 25, 2025 at 3:06=E2=80=AFPM 'condui= tion' via Bitcoin Development Mailing List <bitcoindev@googlegroups.com> wrote:
=
Hey Saulo,

You&#= 39;re right about the possibility of an ugly split. Laggards who don't = move coins to PQ address schemes will be incentivized to follow any chain w= here they keep their coins. But those who do migrate will be incentivized t= o follow the chain where unmigrated pre-quantum coins are frozen.=C2=A0

While you're com= paring this event to the ETH/ETC split, we should remember that ETH remaine= d the dominant chain despite their heavy-handed rollback. Just goes to show= , confusion and face-loss is a lesser evil than allowing an adversary to pw= n the network.=C2=A0

This is= the free-market way to solve problems without imposing rules on everyone.<= br>

= It'd still be a free market even if quantum-vulnerable coins are frozen= . The only way to test the relative value of quantum-safe vs quantum-vulner= able coins is to split the chain and see how the market reacts.=C2=A0
=

IMO, the "free ma= rket way" is to give people options and let their money flow to where = it works best. That means people should be able to choose whether they want= their money to be part of a system that allows quantum attack, or part of = one which does not. I know which I would choose, but neither you nor I can = make that choice for everyone.

regards,
conduition
On Monday, March 24th, 2025 at 7:19 AM, Agustin Cruz <agustin.cruz@gmail.com> wrote:
I=E2=80=99m against letting q= uantum computers scoop up funds from addresses that don=E2=80=99t upgrade t= o quantum-resistant.
Saulo=E2=80=99s idea of a free-market approach, le= aving old coins up for grabs if people don=E2=80=99t move them, sounds fair= at first. Let luck decide, right? But I worry it=E2=80=99d turn into a mes= s. If quantum machines start cracking keys and snagging coins, it=E2=80=99s= not just lost Satoshi-era stuff at risk. Plenty of active wallets, like th= ose on the rich list Jameson mentioned, could get hit too. Imagine millions= of BTC flooding the market. Prices tank, trust in Bitcoin takes a dive, an= d we all feel the pain. Freezing those vulnerable funds keeps that chaos in= check.
Plus, =E2=80=9Cyour keys, your coins=E2=80=9D is Bitcoin=E2=80= =99s heart. If quantum tech can steal from you just because you didn=E2=80= =99t upgrade fast enough, that promise feels shaky. Freezing funds after a = heads-up period (say, four years) protects that idea better than letting te= ch giants or rogue states play vampire with our network. It also nudges peo= ple to get their act together and move to safer addresses, which strengthen= s Bitcoin long-term.
Saulo=E2=80=99s right that freezing coins could con= fuse folks or spark a split like Ethereum Classic. But I=E2=80=99d argue qu= antum theft would look worse. Bitcoin would seem broken, not just strict. A= clear plan and enough time to migrate could smooth things over. History=E2= =80=99s on our side too. Bitcoin=E2=80=99s fixed bugs before, like SegWit. = This feels like that, not a bailout.
So yeah, I=E2=80=99d rather see vul= nerable coins locked than handed to whoever builds the first quantum rig. I= t=E2=80=99s less about coddling people and more about keeping Bitcoin solid= for everyone. What do you all think?
Cheers,
Agust=C3=ADn


On = Sun, Mar 23, 2025 at 10:29=E2=80=AFPM AstroTown <saulo= @astrotown.de> wrote:
I believe that having some = entity announce the decision to freeze old UTXOs would be more damaging to = Bitcoin=E2=80=99s image (and its value) than having them gathered by QC. Th= is would create another version of Bitcoin, similar to Ethereum Classic, ca= using confusion in the market.

It would be better to = simply implement the possibility of moving funds to a PQC address without a= deadline, allowing those who fail to do so to rely on luck to avoid having= their coins stolen. Most coins would be migrated to PQC anyway, and in mos= t cases, only the lost ones would remain vulnerable. This is the free-marke= t way to solve problems without imposing rules on everyone.

Saulo Fonse= ca


On 16. Mar 2025, at 15:15, Jameso= n Lopp <jameson.lopp@gmail.com<= /a>> wrote:

The quantum computing = debate is heating up. There are many controversial aspects to this debate, = including whether or not quantum computers will ever actually become a prac= tical threat.

I won't tread into the unanswerable question of h= ow worried we should be about quantum computers. I think it's far from = a crisis, but given the difficulty in changing Bitcoin it's worth start= ing to seriously discuss. Today I wish to focus on a philosophical quandary= related to one of the decisions that would need to be made if and when we = implement a quantum safe signature scheme.

Several Scenarios
Because this essay will refe= rence game theory a fair amount, and there are many variables at play that = could change the nature of the game, I think it's important to clarify = the possible scenarios up front.

1. Quantum computing never material= izes, never becomes a threat, and thus everything discussed in this essay i= s moot.
2. A quantum computing threat materializes suddenly and Bitcoin = does not have quantum safe signatures as part of the protocol. In this scen= ario it would likely make the points below moot because Bitcoin would be fu= ndamentally broken and it would take far too long to upgrade the protocol, = wallet software, and migrate user funds in order to restore confidence in t= he network.
3. Quantum computing advances slowly enough that we come to = consensus about how to upgrade Bitcoin and post quantum security has been m= inimally adopted by the time an attacker appears.
4. Quantum computing a= dvances slowly enough that we come to consensus about how to upgrade Bitcoi= n and post quantum security has been highly adopted by the time an attacker= appears.

For the purposes of this post, I'm envisioning being i= n situation 3 or 4.

To F= reeze or not to Freeze?
I've started seeing more people weigh= ing in on what is likely the most contentious aspect of how a quantum resis= tance upgrade should be handled in terms of migrating user funds. Should qu= antum vulnerable funds be left open to be swept by anyone with a sufficient= ly powerful quantum computer OR should they be permanently locked?

<= blockquote style=3D"margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-c= olor:rgb(204,204,204)" class=3D"gmail_quote">"I don't see why old = coins should be confiscated. The better option is to let those with quantum= computers free up old coins. While this might have an inflationary impact = on bitcoin's price, to use a turn of phrase, the inflation is transitor= y. Those with low time preference should support returning lost coins to ci= rculation."
- Hunter Beast

On the other hand:
"Of course they have to= be confiscated. If and when (and that's a big if) the existence of a c= ryptography-breaking QC becomes a credible threat, the Bitcoin ecosystem ha= s no other option than softforking out the ability to spend from signature = schemes (including ECDSA and BIP340) that are vulnerable to QCs. The altern= ative is that millions of BTC become vulnerable to theft; I cannot see how = the currency can maintain any value at all in such a setting. And this affe= cts everyone; even those which diligently moved their coins to PQC-protecte= d schemes."
- Pieter Wuille

I don't think "= ;confiscation" is the most precise term to use, as the funds are not b= eing seized and reassigned. Rather, what we're really discussing would = be better described as "burning" - placing the funds out of re= ach of everyone.

Not freezing user funds is one of Bitcoin's= inviolable properties. However, if quantum computing becomes a threat to B= itcoin's elliptic curve cryptography, an inviolable property of Bitc= oin will be violated one way or another.

Fundamental Properties at Risk
5 years ago = I attempted to comprehensively categorize all of Bitcoin's fundamental = properties that give it value. https://nakamoto.com/what-are-the-key-properties-of-bitcoin/

The particular properties in play with regard to this issue seem to b= e:

Censorship Resistance - No one should have the power to pr= event others from using their bitcoin or interacting with the network.
<= br>Forward Compatibility - changing the rules such that certain vali= d transactions become invalid could undermine confidence in the protocol.
Conservatism - Users should not be expected to be highly respo= nsive to system issues.

As a result of the above principles, we have= developed a strong meme (kudos to Andreas Antonopoulos) that goes as follo= ws:

Not your keys, not= your coins.

I posit that the corollary to this principle i= s:

Your keys, only you= r coins.

A quantum capable entity breaks the corollary of t= his foundational principle. We secure our bitcoin with the mathematical pro= babilities related to extremely large random numbers. Your funds are only s= ecure because truly random large numbers should not be guessable or discove= rable by anyone else in the world.

This is the principle behind the = motto vires in numeris - strength in numbers. In a world with quantu= m enabled adversaries, this principle is null and void for many types of cr= yptography, including the elliptic curve digital signatures used in Bitcoin= .

Who is at Risk?
There has long been a narrative that Satoshi's coins and others fro= m the Satoshi era of P2PK locking scripts that exposed the public key direc= tly on the blockchain will be those that get scooped up by a quantum "= miner." But unfortunately it's not that simple. If I had a powerfu= l quantum computer, which coins would I target? I'd go to the Bitcoin r= ich list and find the wallets that have exposed their public keys due to re= -using addresses that have previously been spent from. You can easily find = them at https://bi= tinfocharts.com/top-100-richest-bitcoin-addresses.html

Note that= a few of these wallets, like Bitfinex / Kraken / Tether, would be slightly= harder to crack because they are multisig wallets. So a quantum attacker w= ould need to reverse engineer 2 keys for Kraken or 3 for Bitfinex / Tether = in order to spend funds. But many are single signature.

Point being,= it's not only the really old lost BTC that are at risk to a quantum en= abled adversary, at least at time of writing. If we add a quantum safe sign= ature scheme, we should expect those wallets to be some of the first to upg= rade given their incentives.

The Ethical Dilemma: Quantifying Harm
Which decision results= in the most harm?

By making quantum vulnerable funds unspendable we= potentially harm some Bitcoin users who were not paying attention and negl= ected to migrate their funds to a quantum safe locking script. This violate= s the "conservativism" principle stated earlier. On the flip side= , we prevent those funds plus far more lost funds from falling into the han= ds of the few privileged folks who gain early access to quantum computers.<= br>
By leaving quantum vulnerable funds available to spend, the same set= of users who would otherwise have funds frozen are likely to see them stol= en. And many early adopters who lost their keys will eventually see their u= nreachable funds scooped up by a quantum enabled adversary.

Imagine,= for example, being James Howells, who accidentally threw away a hard drive= with 8,000 BTC on it, currently worth over $600M USD. He has spent a decad= e trying to retrieve it from the landfill where he knows it's buried, b= ut can't get permission to excavate. I suspect that, given the choice, = he'd prefer those funds be permanently frozen rather than fall into som= eone else's possession - I know I would.

Allowing a quantum comp= uter to access lost funds doesn't make those users any worse off than t= hey were before, however it wouldhave a negative impact upon everyon= e who is currently holding bitcoin.

It's prudent to expect signi= ficant economic disruption if large amounts of coins fall into new hands. S= ince a quantum computer is going to have a massive up front cost, expect th= ose behind it to desire to recoup their investment. We also know from exper= ience that when someone suddenly finds themselves in possession of 9+ figur= es worth of highly liquid assets, they tend to diversify into other things = by selling.

Allowing quantum recovery of bitcoin is tantamount to= wealth redistribution. What we'd be allowing is for bitcoin to be = redistributed from those who are ignorant of quantum computers to those who= have won the technological race to acquire quantum computers. It's har= d to see a bright side to that scenario.

Is Quantum Recovery Good for Anyone?

Does qu= antum recovery HELP anyone? I've yet to come across an argument that it= 's a net positive in any way. It certainly doesn't add any security= to the network. If anything, it greatly decreases the security of the netw= ork by allowing funds to be claimed by those who did not earn them.

= But wait, you may be thinking, wouldn't quantum "miners" have= earned their coins by all the work and resources invested in building a qu= antum computer? I suppose, in the same sense that a burglar earns their spo= ils by the resources they invest into surveilling targets and learning the = skills needed to break into buildings. What I say "earned" I mean= through productive mutual trade.

For example:

* Investors ea= rn BTC by trading for other currencies.
* Merchants earn BTC by trading = for goods and services.
* Miners earn BTC by trading thermodynamic secur= ity.
* Quantum miners don't trade anything, they are vampires feedin= g upon the system.

There's no reason to believe that allowing qu= antum adversaries to recover vulnerable bitcoin will be of benefit to anyon= e other than the select few organizations that win the technological arms r= ace to build the first such computers. Probably nation states and/or the to= p few largest tech companies.

One could certainly hope that an organ= ization with quantum supremacy is benevolent and acts in a "white hat&= quot; manner to return lost coins to their owners, but that's incredibl= y optimistic and foolish to rely upon. Such a situation creates an insurmou= ntable ethical dilemma of only recovering lost bitcoin rather than currentl= y owned bitcoin. There's no way to precisely differentiate between the = two; anyone can claim to have lost their bitcoin but if they have lost thei= r keys then proving they ever had the keys becomes rather difficult. I imag= ine that any such white hat recovery efforts would have to rely upon attest= ations from trusted third parties like exchanges.

Even if the first = actor with quantum supremacy is benevolent, we must assume the technology c= ould fall into adversarial hands and thus think adversarially about the pot= ential worst case outcomes. Imagine, for example, that North Korea continue= s scooping up billions of dollars from hacking crypto exchanges and decides= to invest some of those proceeds into building a quantum computer for the = biggest payday ever...

D= ownsides to Allowing Quantum Recovery
Let's think through an = exhaustive list of pros and cons for allowing or preventing the seizure of = funds by a quantum adversary.

Historical Precedent
Previous protocol vulnerabilities were= n=E2=80=99t celebrated as "fair game" but rather were treated as = failures to be remediated. Treating quantum theft differently risks rewriti= ng Bitcoin=E2=80=99s history as a free-for-all rather than a system that se= eks to protect its users.

Violation of Property Rights
Allowing a quantum adversary to ta= ke control of funds undermines the fundamental principle of cryptocurrency = - if you keep your keys in your possession, only you should be able to acce= ss your money. Bitcoin is built on the idea that private keys secure an ind= ividual=E2=80=99s assets, and unauthorized access (even via advanced tech) = is theft, not a legitimate transfer.

Erosion of Trust in Bitcoin
If quantum attackers can= exploit vulnerable addresses, confidence in Bitcoin as a secure store of v= alue would collapse. Users and investors rely on cryptographic integrity, a= nd widespread theft could drive adoption away from Bitcoin, destabilizing i= ts ecosystem.

This is essentially the counterpoint to claiming the b= urning of vulnerable funds is a violation of property rights. While some wi= ll certainly see it as such, others will find the apathy toward stopping qu= antum theft to be similarly concerning.

Unfair Advantage
Quantum attackers, likely equipp= ed with rare and expensive technology, would have an unjust edge over regul= ar users who lack access to such tools. This creates an inequitable system = where only the technologically elite can exploit others, contradicting Bitc= oin=E2=80=99s ethos of decentralized power.

Bitcoin is designed to c= reate an asymmetric advantage for DEFENDING one's wealth. It's supp= osed to be impractically expensive for attackers to crack the entropy and c= ryptography protecting one's coins. But now we find ourselves discussin= g a situation where this asymmetric advantage is compromised in favor of a = specific class of attackers.

Economic Disruption
Large-scale theft from vulnerable addres= ses could crash Bitcoin=E2=80=99s price as quantum recovered funds are dump= ed on exchanges. This would harm all holders, not just those directly targe= ted, leading to broader financial chaos in the markets.

Moral Responsibility
Permitting= theft via quantum computing sets a precedent that technological superiorit= y justifies unethical behavior. This is essentially taking a "code is = law" stance in which we refuse to admit that both code and laws can be= modified to adapt to previously unforeseen situations.

Burning of c= oins can certainly be considered a form of theft, thus I think it's wor= th differentiating the two different thefts being discussed:

1. self= -enriching & likely malicious
2. harm prevention & not necessari= ly malicious

Both options lack the consent of the party whose coins = are being burnt or transferred, thus I think the simple argument that theft= is immoral becomes a wash and it's important to drill down into the de= tails of each.

Incentive= s Drive Security
I can tell you from a decade of working in Bitco= in security - the average user is lazy and is a procrastinator. If Bitcoine= rs are given a "drop dead date" after which they know vulnerable = funds will be burned, this pressure accelerates the adoption of post-quantu= m cryptography and strengthens Bitcoin long-term. Allowing vulnerable users= to delay upgrading indefinitely will result in more laggards, leaving the = network more exposed when quantum tech becomes available.

Steel Manning
Clearly this is a= complex and controversial topic, thus it's worth thinking through the = opposing arguments.

Prot= ecting Property Rights
Allowing quantum computers to take vulnera= ble bitcoin could potentially be spun as a hard money narrative - we care s= o greatly about not violating someone's access to their coins that we a= llow them to be stolen!

But I think the flip side to the property ri= ghts narrative is that burning vulnerable coins prevents said property from= falling into undeserving hands. If the entire Bitcoin ecosystem just stand= s around and allows quantum adversaries to claim funds that rightfully belo= ng to other users, is that really a "win" in the "protecting= property rights" category? It feels more like apathy to me.

As= such, I think the "protecting property rights" argument is a was= h.

Quantum Computers Won= 't Attack Bitcoin
There is a great deal of skepticism that su= fficiently powerful quantum computers will ever exist, so we shouldn't = bother preparing for a non-existent threat. Others have argued that even if= such a computer was built, a quantum attacker would not go after bitcoin b= ecause they wouldn't want to reveal their hand by doing so, and would i= nstead attack other infrastructure.

It's quite difficult to quan= tify exactly how valuable attacking other infrastructure would be. It also = really depends upon when an entity gains quantum supremacy and thus if by t= hat time most of the world's systems have already been upgraded. While = I think you could argue that certain entities gaining quantum capability mi= ght not attack Bitcoin, it would only delay the inevitable - eventually som= ebody will achieve the capability who decides to use it for such an attack.=

Quantum Attackers Would= Only Steal Small Amounts
Some have argued that even if a quantum= attacker targeted bitcoin, they'd only go after old, likely lost P2PK = outputs so as to not arouse suspicion and cause a market panic.

I= 9;m not so sure about that; why go after 50 BTC at a time when you could ta= ke 250,000 BTC with the same effort as 50 BTC? This is a classic "zero= day exploit" game theory in which an attacker knows they have a limit= ed amount of time before someone else discovers the exploit and either bene= fits from it or patches it. Take, for example, the recent ByBit attack - th= e highest value crypto hack of all time. Lazarus Group had compromised the = Safe wallet front end JavaScript app and they could have simply had it reas= sign ownership of everyone's Safe wallets as they were interacting with= their wallet. But instead they chose to only specifically target ByBit'= ;s wallet with $1.5 billion in it because they wanted to maximize their ext= ractable value. If Lazarus had started stealing from every wallet, they wou= ld have been discovered quickly and the Safe web app would likely have been= patched well before any billion dollar wallets executed the malicious code= .

I think the "only stealing small amounts" argument is st= rongest for Situation #2 described earlier, where a quantum attacker arrive= s before quantum safe cryptography has been deployed across the Bitcoin eco= system. Because if it became clear that Bitcoin's cryptography was brok= en AND there was nowhere safe for vulnerable users to migrate, the only log= ical option would be for everyone to liquidate their bitcoin as quickly as = possible. As such, I don't think it applies as strongly for situations = in which we have a migration path available.

The 21 Million Coin Supply Should be in Circulation
Some folks are arguing that it's important for the "circu= lating / spendable" supply to be as close to 21M as possible and that = having a significant portion of the supply out of circulation is somehow un= desirable.

While the "21M BTC" attribute is a strong memet= ic narrative, I don't think anyone has ever expected that it would all = be in circulation. It has always been understood that many coins will be lo= st, and that's actually part of the game theory of owning bitcoin!
<= br>And remember, the 21M number in and of itself is not a particularly impo= rtant detail - it's not even mentioned in the whitepaper. What's im= portant is that the supply is well known and not subject to change.

= Self-Sovereignty and Personal R= esponsibility
Bitcoin=E2=80=99s design empowers individuals to co= ntrol their own wealth, free from centralized intervention. This freedom co= mes with the burden of securing one's private keys. If quantum computin= g can break obsolete cryptography, the fault lies with users who didn't= move their funds to quantum safe locking scripts. Expecting the network to= shield users from their own negligence undermines the principle that you, = and not a third party, are accountable for your assets.

I think this= is generally a fair point that "the community" doesn't owe y= ou anything in terms of helping you. I think that we do, however, need to c= onsider the incentives and game theory in play with regard to quantum safe = Bitcoiners vs quantum vulnerable Bitcoiners. More on that later.

Code is Law
Bitcoin oper= ates on transparent, immutable rules embedded in its protocol. If a quantum= attacker uses superior technology to derive private keys from public keys,= they=E2=80=99re not "hacking" the system - they're simply fo= llowing what's mathematically permissible within the current code. Alte= ring the protocol to stop this introduces subjective human intervention, wh= ich clashes with the objective, deterministic nature of blockchain.

= While I tend to agree that code is law, one of the entire points of laws is= that they can be amended to improve their efficacy in reducing harm. Leani= ng on this point seems more like a pro-ossification stance that it's be= tter to do nothing and allow harm to occur rather than take action to stop = an attack that was foreseen far in advance.

Technological Evolution as a Feature, Not a Bug
It's well known that cryptography tends to weaken over time and ev= entually break. Quantum computing is just the next step in this progression= . Users who fail to adapt (e.g., by adopting quantum-resistant wallets when= available) are akin to those who ignored technological advancements like m= ultisig or hardware wallets. Allowing quantum theft incentivizes innovation= and keeps Bitcoin=E2=80=99s ecosystem dynamic, punishing complacency while= rewarding vigilance.

Ma= rket Signals Drive Security
If quantum attackers start stealing f= unds, it sends a clear signal to the market: upgrade your security or lose = everything. This pressure accelerates the adoption of post-quantum cryptogr= aphy and strengthens Bitcoin long-term. Coddling vulnerable users delays th= is necessary evolution, potentially leaving the network more exposed when q= uantum tech becomes widely accessible. Theft is a brutal but effective teac= her.

Centralized Blackli= sting Power
Burning vulnerable funds requires centralized decisio= n-making - a soft fork to invalidate certain transactions. This sets a dang= erous precedent for future interventions, eroding Bitcoin=E2=80=99s decentr= alization. If quantum theft is blocked, what=E2=80=99s next - reversing exc= hange hacks? The system must remain neutral, even if it means some lose out= .

I think this could be a potential slippery slope if the proposal w= as to only burn specific addresses. Rather, I'd expect a neutral propos= al to burn all funds in locking script types that are known to be quantum v= ulnerable. Thus, we could eliminate any subjectivity from the code.

= Fairness in Competition<= br>Quantum attackers aren't cheating; they're using publicly availa= ble physics and math. Anyone with the resources and foresight can build or = access quantum tech, just as anyone could mine Bitcoin in 2009 with a CPU. = Early adopters took risks and reaped rewards; quantum innovators are doing = the same. Calling it =E2=80=9Cunfair=E2=80=9D ignores that Bitcoin has neve= r promised equality of outcome - only equality of opportunity within its ru= les.

I find this argument to be a mischaracterization because we'= ;re not talking about CPUs. This is more akin to talking about ASICs, excep= t each ASIC costs millions if not billions of dollars. This is out of reach= from all but the wealthiest organizations.

Economic Resilience
Bitcoin has weathered t= hefts before (MTGOX, Bitfinex, FTX, etc) and emerged stronger. The market c= an absorb quantum losses, with unaffected users continuing to hold and new = entrants buying in at lower prices. Fear of economic collapse overestimates= the impact - the network=E2=80=99s antifragility thrives on such challenge= s.

This is a big grey area because we don't know when a quantum = computer will come online and we don't know how quickly said computers = would be able to steal bitcoin. If, for example, the first generation of su= fficiently powerful quantum computers were stealing less volume than the cu= rrent block reward then of course it will have minimal economic impact. But= if they're taking thousands of BTC per day and bringing them back into= circulation, there will likely be a noticeable market impact as it absorbs= the new supply.

This is where the circumstances will really matter.= If a quantum attacker appears AFTER the Bitcoin protocol has been upgraded= to support quantum resistant cryptography then we should expect the most v= aluable active wallets will have upgraded and the juiciest target would be = the 31,000 BTC in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has = been dormant since 2010. In general I'd expect that the amount of BTC r= e-entering the circulating supply would look somewhat similar to the mining= emission curve: volume would start off very high as the most valuable addr= esses are drained and then it would fall off as quantum computers went down= the list targeting addresses with less and less BTC.

Why is economi= c impact a factor worth considering? Miners and businesses in general. More= coins being liquidated will push down the price, which will negatively imp= act miner revenue. Similarly, I can attest from working in the industry for= a decade, that lower prices result in less demand from businesses across t= he entire industry. As such, burning quantum vulnerable bitcoin is good for= the entire industry.

Pr= acticality & Neutrality of Non-Intervention
There=E2=80=99s n= o reliable way to distinguish =E2=80=9Ctheft=E2=80=9D from legitimate "= ;white hat" key recovery. If someone loses their private key and a qua= ntum computer recovers it, is that stealing or reclaiming? Policing quantum= actions requires invasive assumptions about intent, which Bitcoin=E2=80=99= s trustless design can=E2=80=99t accommodate. Letting the chips fall where = they may avoids this mess.

Philosophical Purity
Bitcoin rejects bailouts. It=E2=80=99s a = cold, hard system where outcomes reflect preparation and skill, not sentime= ntality. If quantum computing upends the game, that=E2=80=99s the point - B= itcoin isn=E2=80=99t meant to be safe or fair in a nanny-state sense; it=E2= =80=99s meant to be free. Users who lose funds to quantum attacks are casua= lties of liberty and their own ignorance, not victims of injustice.

= Bitcoin's DAO Moment=
This situation has some similarities to The DAO hack of an Ethereum sma= rt contract in 2016, which resulted in a fork to stop the attacker and retu= rn funds to their original owners. The game theory is similar because it= 9;s a situation where a threat is known but there's some period of time= before the attacker can actually execute the theft. As such, there's t= ime to mitigate the attack by changing the protocol.

It also created= a schism in the community around the true meaning of "code is law,&qu= ot; resulting in Ethereum Classic, which decided to allow the attacker to r= etain control of the stolen funds.

A soft fork to burn vulnerable bi= tcoin could certainly result in a hard fork if there are enough miners who = reject the soft fork and continue including transactions.

Incentives Matter
We can wax ph= ilosophical until the cows come home, but what are the actual incentives fo= r existing Bitcoin holders regarding this decision?

"Lost coins only make everyone else'= s coins worth slightly more. Think of it as a donation to everyone." -= Satoshi Nakamoto

If true, the corollary is:

"Quantum recovered coins only m= ake everyone else's coins worth less. Think of it as a theft from every= one." - Jameson Lopp

Thus, assuming we get to a point = where quantum resistant signatures are supported within the Bitcoin protoco= l, what's the incentive to let vulnerable coins remain spendable?
* It's not good for the actual owners of those coins. It disincentivi= zes owners from upgrading until perhaps it's too late.
* It's no= t good for the more attentive / responsible owners of coins who have quantu= m secured their stash. Allowing the circulating supply to balloon will assu= redly reduce the purchasing power of all bitcoin holders.

Forking Game Theory
From a game= theory point of view, I see this as incentivizing users to upgrade their w= allets. If you disagree with the burning of vulnerable coins, all you have = to do is move your funds to a quantum safe signature scheme. Point being, I= don't see there being an economic majority (or even more than a tiny m= inority) of users who would fight such a soft fork. Why expend significant = resources fighting a fork when you can just move your coins to a new addres= s?

Remember that blocking spending of certain classes of locking scr= ipts is a tightening of the rules - a soft fork. As such, it can be meaning= fully enacted and enforced by a mere majority of hashpower. If miners gener= ally agree that it's in their best interest to burn vulnerable coins, a= re other users going to care enough to put in the effort to run new node so= ftware that resists the soft fork? Seems unlikely to me.

How to Execute Burning
In order= to be as objective as possible, the goal would be to announce to the world= that after a specific block height / timestamp, Bitcoin nodes will no long= er accept transactions (or blocks containing such transactions) that spend = funds from any scripts other than the newly instituted quantum safe schemes= .

It could take a staggered approach to first freeze funds that are = susceptible to long-range attacks such as those in P2PK scripts or those th= at exposed their public keys due to previously re-using addresses, but I ex= pect the additional complexity would drive further controversy.

How = long should the grace period be in order to give the ecosystem time to upgr= ade? I'd say a minimum of 1 year for software wallets to upgrade. We ca= n only hope that hardware wallet manufacturers are able to implement post q= uantum cryptography on their existing hardware with only a firmware update.=

Beyond that, it will take at least 6 months worth of block space fo= r all users to migrate their funds, even in a best case scenario. Though if= you exclude dust UTXOs you could probably get 95% of BTC value migrated in= 1 month. Of course this is a highly optimistic situation where everyone is= completely focused on migrations - in reality it will take far longer.
=
Regardless, I'd think that in order to reasonably uphold Bitcoin= 9;s conservatism it would be preferable to allow a 4 year migration window.= In the meantime, mining pools could coordinate emergency soft forking logi= c such that if quantum attackers materialized, they could accelerate the co= untdown to the quantum vulnerable funds burn.

Random Tangential Benefits
On the plus side= , burning all quantum vulnerable bitcoin would allow us to prune all of tho= se UTXOs out of the UTXO set, which would also clean up a lot of dust. Dust= UTXOs are a bit of an annoyance and there has even been a recent proposal = for how to incentivize cleaning them up.

We should also expect that = incentivizing migration of the entire UTXO set will create substantial dema= nd for block space that will sustain a fee market for a fairly lengthy amou= nt of time.

In Summary
While the moral quandary of violating any of Bitcoin's inviola= ble properties can make this a very complex issue to discuss, the game theo= ry and incentives between burning vulnerable coins versus allowing them to = be claimed by entities with quantum supremacy appears to be a much simpler = issue.

I, for one, am not interested in rewarding quantum capable en= tities by inflating the circulating money supply just because some people l= ost their keys long ago and some laggards are not upgrading their bitcoin w= allet's security.

We can hope that this scenario never comes to = pass, but hope is not a strategy.

I welcome your feedback upon any o= f the above points, and contribution of any arguments I failed to consider.=

--
You received this message because you are= subscribed to the Google Groups "Bitcoin Development Mailing List&quo= t; group.
To unsubscribe from this group and stop receiving emails from = it, send an email to bitcoindev+unsu= bscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAD= L_X_cF%3DUKVa7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups &= quot;Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googl= egroups.com.
To view this discussion visit https://groups.google.com/d/msg= id/bitcoindev/E8269A1A-1899-46D2-A7CD-4D9D2B732364%40astrotown.de.

--
You received this message because you are subscribed to the Google Groups &= quot;Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googl= egroups.com.
To view this discussion visit https://= groups.google.com/d/msgid/bitcoindev/CAJDmzYxw%2BmXQKjS%2Bh%2Br6mCoe1rwWUpa= _yZDwmwx6U_eO5JhZLg%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups &= quot;Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/m= sgid/bitcoindev/zyx7G6H1TyB2sWVEKAfIYmCCvfXniazvrhGlaZuGLeFtjL3Ky7B-9nBptC0= GCxuHMjjw8RasO7c3ZX46_6Nerv0SgCP0vOi5_nAXLmiCJOY%3D%40proton.me.

--
You received this message because you are subscribed to the Google Groups &= quot;Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoind= ev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.co= m/d/msgid/bitcoindev/CAC3UE4%2BDR%3DDQqtT%2BX0SYvH1XCVnmatD7frcHC5dtdVAef39= UnQ%40mail.gmail.com.
--000000000000ae2c4f0635fdd818--